Privacy Advisor

POLAND—Functions of Polish Data Protection Officer To Be Reformed

February 1, 2013

By Joanna Tomaszewska

In order to become more entrepreneur-friendly, the Polish government has initiated changes to reduce the administrative burdens of conducting business, which are also intended to amend the Polish Data Protection Act of August 29, 1997. In parallel, the Association of Information Security Administrators, with the participation of the Polish Data Protection Authority, holds a number of seminars relating to the planned transition of functions of the data protection officer (DPO), known in Poland as the information security administrator.

The proposed amendments affect the duty for data-filing systems to be registered in a DPA-maintained register and are connected with changes to the DPO.

The proposed amendments are in line with forthcoming changes to the DPO proposed by a draft EU regulation relating to the processing of personal data, as well as with the manner in which DPOs function in certain other EU member states.

The proposed amendments are very welcome, since they will significantly clarify certain issues relating to the functioning of the DPO in Poland, which until now has only been regulated in a residual manner by one provision of the act, which states as follows: “The controller shall appoint an administrator of information security who shall supervise compliance with the security principles…, unless the controller performs such activities by himself”.

The proposed amendments would result in the following:

  • Exempting the duty to register data-filing systems (other than those containing so-called sensitive data) in the DPA-maintained register, provided that a DPO has been appointed and such appointment has been notified to the DPA. This will operate alongside existing exemptions contained in the DPA, where registration is not required.
  • Providing greater detail on the functions of a DPO, in particular as concerns the qualifications, appointment and functions thereof.

The details of the planned amendments are as follows:

Appointment of the DPO

The main planned amendment specifies that the new regime, appointment of a DPO and related changes are optional. Therefore, in the event that no DPO is appointed, the data controller should himself conduct the newly created duties of a DPO, as stated below, apart from a duty to prepare a report for a data controller.

The draft proposal also includes an option for appointing deputy DPOs who would fulfill the same qualifications as a DPO.

Qualifications of the DPO

Anyone acting as a DPO should have completed higher education and possess significant knowledge of the provisions of data protection law, as well as having full legal capacity and no criminal record as regards any crime of willful misconduct.

Independent position of the DPO

The independent nature of a DPO is to be guaranteed in order to enable the DPO to properly perform its functions. The DPO shall report directly to the head of the organization, which guarantees the independence and organizational autonomy of the DPO.

Scope of responsibilities of the DPO

In order to eliminate current uncertainty as regards the scope of a DPO’s responsibilities, the proposal clearly defines the DPO’s duties as follows:

  • Ensuring the application of data protection provisions, in particular as regards performing activities to verify that the processing of personal data has been done in a manner compliant with data protection provisions and the preparation of a report to be presented to the data controller.
  • Ensuring the preparation and continual updating of documentation outlining security measures, as required by the DPA, and ensuring compliance with the rules specified therein.
  • Ensuring that any persons authorized to process personal data have acknowledged and accepted the relevant data protection provisions.
  • Maintaining the public register of the data-filing systems within a given organization, containing information as required by the data registration form. It is envisaged that the precise manner in which such register should be maintained will be specified by separate provisions to be issued alongside the amended act.

The proposal also envisages the possibility that a DPO may undertake other entrusted duties provided that these do not affect the performance of the aforementioned primary duties.

Role of the DPO in audits performed by the DPA

In the event that a DPO is appointed and such appointment is notified to the register of DPOs to be maintained by the DPA, the DPA may cease to conduct audits itself and may instead request that the DPO conduct an audit, within a given time, and provide the DPA with a report which verifies that personal data has been processed in accordance with the applicable data protection provisions. It does not, however, entirely exempt the DPA from performing its controlling duties.

Registration of the DPO with the DPA

The data controller which appointed the DPO and notified such appointment to the DPA will be exempted from the duty to register data-filing systems with the DPA, other than data-filing systems containing so-called sensitive data. Another planned change to the duty to register data-filing systems with the DPA is the exemption of paper data-filing systems, i.e., those not maintained in IT systems, from that duty unless they contain so-called sensitive data. The DPA will clarify precisely which information will need to be provided so as to register a DPO’s appointment with the DPA and a special form will be provided for that purpose, by way of separate legislation to be issued pursuant to the act.

The aforementioned planned amendments are currently at an early stage of work and it is, accordingly, difficult to envisage when and in what form they are likely to be adopted. Nevertheless, they are certainly heading in the right direction and would ensure that a DPO possesses real power as regards their functions within the organization.

Furthermore, the amendments would ensure that DPOs would enforce greater compliance with data protection rules within corporations, raising awareness of data protection issues and freeing the data controller from the duty to register data-filing systems with the DPA.

The new rules would avoid the current inconsistency with which DPOs among Polish data controllers perform their functions and would eliminate the uncertainty surrounding the performance of the DPO’s function. Although these amendments are still in the preliminary stage of preparation and it is unclear when and in what form they will be adopted, they serve as a good indication of the direction in which Polish law may evolve.

Joanna Tomaszewska Ph.D. is a senior associate in the Intellectual Property, New Technologies and Protection of Information Department of Spaczyński, Szczepaniak & Wspólnicy, Warsaw Office. She has experience in data protection and privacy law, information technology law, media and advertising and intellectual property matters. She can be reached at joanna.tomaszewska@ssw.pl.